Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confers no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my company’s name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.
Updated: N/A
Published: Oct 10th, 2020
Applies to:
Microsoft Defender Endpoint* for Mac (MDE for macOS)
* Formerly Microsoft Defender Advanced Threat Protection (MDATP for macOS).
Audience:
- Security architect
- Security administrator
- Security analyst
- IT architect
- IT administrator
- IT help desk
- IT field support
Hi all,
Just as with MDE for Linux (MDATP for Linux), if you run into high CPU utilization with wdavdaemon, you can go through the following steps:
You deploy MDE for Mac, and a few of your Macs might exhibit higher CPU utilization by wdavdaemon (the MDATP daemon; for those coming from the Windows world, a service).
It’s a balancing act between providing protection and performance.
Even though we test a range of enterprise macOS applications for compatibility, the industry that you are in might have a macOS application that we have not tested.
Security Administrators, Security Architects, and IT Administrators will need to tune these macOS systems to meet their specific needs.
Use the different diagnostic procedures below to identify the component that is causing the high CPU utilization.
Your Independent Software Vendor (ISV), including the developers of in-house built apps, should follow the guide below:
Partnering with the industry to minimize false positives
https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/#:~:text=Partnering%20with%20the%20industry%20to%20minimize%20false%20positives,Defender%20ATP%29%20protect%20millions%20of%20customers%20from%20threats.
They should also submit the application to the Microsoft Defender Security Intelligence portal: https://www.microsoft.com/en-us/wdsi/filesubmission
Select “Software developer”.
Note: If for whatever reason, the ISV is not doing the submission, you should select “Enterprise customer”.
Check on your ISV’s website for a Knowledge base (KB) article for antimalware (and/or antivirus) exclusions.
If they have one and it states to exclude everything, then you should look at the “Work-around Alternate 2” below, since you don’t want to punch a hole through your defenses.
If they don’t have a list, please open a support ticket with them. Meanwhile, to alleviate the problem you should look at “Work-around Alternate 2” below.
[Work-around Alternate 2]
Take “Real-Time Protection” out of the way:
Troubleshoot performance issues for Microsoft Defender ATP for Mac
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf
Note: After going through the steps above, don’t forget to re-enable Real-time protection in order for the data collection to work.
Terminal (sudo/root)
mdatp config real-time-protection --value enabled
[Pre-requisite]
To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for macOS.
Enable Real-time Protection Statistics:
Terminal (sudo/root)
mdatp config real-time-protection-statistics --value enabled
Note: This is needed in the Production channel.
Note 2: Not needed in the Dogfood and InsidersFast channels, since it’s enabled by default.
Note 3: The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for macOS, locate the one with the highest number under the Total files scanned row and add an exclusion for it.
<reproduce the issue>
mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs
Note: It’s important to add --output json so that the output is in JSON format, which is what the parser expects.
mdatp config real-time-protection-statistics --value disabled
On your Windows system:
Create a folder in C:\temp\High_CPU_util_parser_for_macOS
From your macOS system, copy the output file real_time_protection_logs to C:\temp\High_CPU_util_parser_for_macOS
Note: This parses the JSON output format. If the output format is different, then you’ll need a different parser.
Note 2: This sample PowerShell (PoSh) script is now available at https://github.com/MDATP/Scripts/blob/master/MDE_macOS_High_CPU_json_parser.ps1
# Clear the screen
clear
# Set the directory path where the output is located
$Directory = "C:\temp\High_CPU_util_parser_for_macOS"
# Set the path to where the input file (in JSON format) is located
$InputFilename = ".\real_time_protection_logs"
# Set the path where the output file (in CSV format) will be written
$OutputFilename = ".\real_time_protection_logs_converted.csv"
# Change directory
cd $Directory
# Convert from JSON and expand the "value" array into one object per process
$json = Get-Content $InputFilename | ConvertFrom-Json | select -expand value
# Convert to CSV and sort by the totalFilesScanned column
## -NoTypeInformation is a switch parameter. It keeps the Type information from being written to the first line of the file. If the Type information is written, it will mess up the column display in Excel.
### Optional, you could try using -Unique to remove the 0 files that are not part of the performance impact.
$json | Sort-Object -Property totalFilesScanned -Descending | ConvertTo-Csv -NoTypeInformation | Out-File $OutputFilename -Encoding ascii
# Open up in Microsoft Excel
Invoke-Item $OutputFilename
Save the file as MDE_macOS_High_CPU_json_parser.ps1 to C:\temp\High_CPU_util_parser_for_macOS
Note: You may want to first save it in Notepad or your preferred text editor and change UTF-8 to ANSI. Replace the double quotes (“) and the elongated dashes (–) before you try running the PowerShell script.
PowerShell (Run as admin)
.\MDE_macOS_High_CPU_json_parser.ps1
Microsoft Excel should open up.
Add the path and/or path\process to the exclusion list.
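The same triage can be done on the Mac itself before anything is excluded. The following is an added example, not the author's script: it ranks processes by totalFilesScanned, drops zero-scan entries, and marks candidates whose path is in a user-writable location so they get a second look. It assumes the top-level "value" array and "totalFilesScanned" field used by the PowerShell parser above; the "name" and "path" fields, the sample data and the user-writable path list are assumptions made for illustration.

```python
import json

# Constructed sample in the shape the page's PowerShell parser expects:
# a top-level "value" array whose entries carry "totalFilesScanned".
# The "name" and "path" fields are assumptions made for this example.
SAMPLE = json.dumps({"value": [
    {"name": "buildtool", "path": "/Applications/BuildTool.app/Contents/MacOS/buildtool",
     "totalFilesScanned": "18250"},
    {"name": "syncagent", "path": "/Users/alex/Downloads/syncagent", "totalFilesScanned": 4100},
    {"name": "mdworker", "path": "/System/Library/Frameworks/mdworker", "totalFilesScanned": "650"},
    {"name": "idle", "path": "/usr/local/bin/idle", "totalFilesScanned": "0"},
]})

# Illustrative heuristic (not from the page): locations ordinary users can write
# to, where an exclusion would also cover whatever is dropped there later.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/Users/", "/var/folders/")

def rank_candidates(raw_json, top=3):
    """Return the busiest processes, highest totalFilesScanned first."""
    data = json.loads(raw_json)
    rows = data.get("value", []) if isinstance(data, dict) else data
    total, parsed = 0, []
    for row in rows:
        try:
            scanned = int(row.get("totalFilesScanned", 0))  # may arrive as a string
        except (AttributeError, TypeError, ValueError):
            continue  # skip malformed entries instead of aborting
        if scanned <= 0:
            continue  # zero-scan processes are not part of the performance impact
        total += scanned
        parsed.append((scanned, str(row.get("name", "?")), str(row.get("path", ""))))
    parsed.sort(reverse=True)
    return [{"name": name, "path": path, "scanned": scanned,
             "share": round(100 * scanned / total, 1),   # percent of all scans
             "review": path.startswith(USER_WRITABLE)}   # needs a closer look
            for scanned, name, path in parsed[:top]]

if __name__ == "__main__":
    for c in rank_candidates(SAMPLE):
        flag = "  <-- user-writable path, review before excluding" if c["review"] else ""
        print(f'{c["scanned"]:>8} {c["share"]:>5}%  {c["path"]}{flag}')
```

A process that accounts for most of the scans and lives in a fixed, admin-controlled location is the narrowest exclusion to add; a flagged entry is better handled with the ISV than with a blanket exclusion.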
[To add the process and paths to the allow exception list]
See these:
Scan exclusions
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#scan-exclusions
Type of exclusion
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#type-of-exclusion
Path to excluded content
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#path-to-excluded-content
Path type (file / directory)
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#path-type-file–directory
File extension excluded from the scan
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#file-extension-excluded-from-the-scan
Process excluded from the scan
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#process-excluded-from-the-scan
To your MDM management product:
Intune profile
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1
Property list for JAMF configuration profile
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1
If you are setting it locally during a POC:
Configuration: Add/remove an antivirus exclusion for a file extension
mdatp exclusion extension [add|remove] --name [extension]
Configuration: Add/remove an antivirus exclusion for a file
mdatp exclusion file [add|remove] --path [path-to-file]
Configuration: Add/remove an antivirus exclusion for a directory
mdatp exclusion folder [add|remove] --path [path-to-directory]
Configuration: Add/remove an antivirus exclusion for a process
mdatp exclusion process [add|remove] --path [path-to-process]
mdatp exclusion process [add|remove] --name [process-name]
Configuration: List all antivirus exclusions
mdatp exclusion list
Reference:
Configuring from the command line
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resources#configuring-from-the-command-line
Thanks,
Yong
Twitter: @YongRheeMSFT